02-05-2019 03:11 PM
Hi,
Trying to create an endpoint using the API while CSRF Check is enabled; everything works if that check is disabled.
Using Python3, sending a GET request first to 'fetch' the token and then feeding that back into the headers for a POST request to /ers/config/endpoint.
Here's my initial GET request and response that works:
GET /ers/config/endpointgroup/name/groupGreen HTTP/1.1
Host: 10.81.127.170:9060
Accept-Encoding: identity
accept: application/json
content-type: application/json
authorization: Basic [redacted]
cache-control: no-cache
X-CSRF-TOKEN: fetch
---------------------
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONIDSSO=9E81D20C04095E5C0F82668222D54193; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=5AFA8F314D99A5921C61817BCF21997D; Path=/ers; Secure; HttpOnly
X-CSRF-Token: C883A27FBEA77E4BAAF85028FD0E229E
Pragma: no-cache
ETag: "D5755A00DC6F46C650D6B5D8E550DBE0"
Date: Tue, 05 Feb 2019 22:59:13 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 322
So I have my CSRF token to feed into the POST to add the endpoint:
POST /ers/config/endpoint HTTP/1.1
Host: 10.81.127.170:9060
Accept-Encoding: identity
Content-Length: 183
X-CSRF-Token: C883A27FBEA77E4BAAF85028FD0E229E
accept: application/json
content-type: application/json
authorization: Basic [redacted]
cache-control: no-cache
------------------
Status: 404
Set-Cookie: JSESSIONIDSSO=C4AF34E0D41D8D0CEBC9309A0F7777E6; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=E45F80818D77D32377B8F3F3C0351B97; Path=/ers; Secure; HttpOnly
X-CSRF-Token: Required
Content-Length: 0
Date: Tue, 05 Feb 2019 22:59:13 GMT
Why is my token not accepted?
Is this CSCvi80094? Not sure a 403 Forbidden would actually help me here.
Thanks,
Mike.
03-02-2022 09:00 AM - edited 03-02-2022 09:02 AM
I had the same issue. You need to handle the csrf token AND the cookie:
1) Fetch the token and save it, save the cookie as well
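import requests

# url and encoded_auth_token are defined elsewhere in the script
headers = {
    'content-type': "application/json",
    'accept': "application/json",
    'authorization': encoded_auth_token,
    'cache-control': "no-cache",
    'X-CSRF-TOKEN': "fetch"
}
response = requests.request("GET", url, headers=headers)
my_token = response.headers['X-CSRF-Token']  # token returned for this session
my_cookie = response.cookies  # session cookies set by the same response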
2) Then do your POST API calls with the saved csrf token and the cookie:
import json

cookies = my_cookie  # cookies saved in step 1
headers = {
    'content-type': "application/json",
    'accept': "application/json",
    'authorization': encoded_auth_token,
    'cache-control': "no-cache",
    'X-CSRF-TOKEN': my_token
}
payload = {}
# Send the saved token and the saved cookies together
response = requests.request("POST", url, headers=headers, data=json.dumps(payload), cookies=cookies)
print(response.content)
Voila.
Hope it helps.
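Why the token alone was rejected, shown as an added example that is not part of either post and is not Cisco code: a constructed local mock binds each CSRF token to the session cookie issued with it, then the POST is replayed with and without that cookie. MockERS, SESSIONS, call and run_demo are hypothetical names, and the binding logic and the 403 rejection status are assumptions of the mock; only the header and cookie names come from the captures above.

```python
import http.client, secrets, threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # session id -> CSRF token (constructed mock server, not ISE)

class MockERS(BaseHTTPRequestHandler):
    def _reply(self, status, headers):
        self.send_response(status)
        for name, value in {**headers, "Content-Length": "0"}.items():
            self.send_header(name, value)
        self.end_headers()

    def do_GET(self):  # every GET opens a session and binds a fresh token to it
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        SESSIONS[sid] = token
        self._reply(200, {"Set-Cookie": f"APPSESSIONID={sid}; Path=/ers; HttpOnly",
                          "X-CSRF-Token": token})

    def do_POST(self):  # a token is honoured only with the cookie it was issued with
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["APPSESSIONID"].value if "APPSESSIONID" in jar else None
        sent = self.headers.get("X-CSRF-Token", "")
        if sid in SESSIONS and secrets.compare_digest(SESSIONS[sid], sent):
            self._reply(201, {})
        else:  # 403 is this mock's choice of rejection status
            self._reply(403, {"X-CSRF-Token": "Required"})

def call(port, method, headers, body=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/ers/config/endpoint", body=body, headers=headers)
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.headers

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), MockERS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_port
    _, hdrs = call(port, "GET", {"X-CSRF-TOKEN": "fetch"})
    token, cookie = hdrs["X-CSRF-Token"], hdrs["Set-Cookie"].split(";")[0]
    token_only = call(port, "POST", {"X-CSRF-Token": token}, b"{}")[0]
    token_and_cookie = call(port, "POST", {"X-CSRF-Token": token, "Cookie": cookie}, b"{}")[0]
    server.shutdown()
    return token_only, token_and_cookie

if __name__ == "__main__":
    print(run_demo())
```

The first status is the cookieless replay (a new session, so the token matches nothing) and the second is the replay that carries the original cookie.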